
Digital Security & Data Breach Roundup

In This Issue:

Canadian Small Businesses are Ignoring Information Security Threats

Demonstrating a positive shift in behaviour compared to previous years, the 5th annual Shred-it Security Tracker revealed that c-suite executives have not only recognized the real threat posed by data breaches, they’ve also taken concrete steps to improve their security policies and procedures.

In contrast, small business owners have made very little headway in combating information security risks, demonstrating a growing divide between large organizations and small businesses when it comes to information security.

For instance, 65 percent of executives say they have protocols in place for storing and disposing of confidential data that is strictly adhered to by all employees, up from 42 percent in 2014. Comparatively, less than half (47 percent) of small businesses say they have protocols in place for storing and disposing of confidential data that is strictly adhered to by all employees and a shocking 37 percent have no protocol in place at all.

Large organizations are also becoming increasingly demanding of their suppliers, insisting that they too invest in information security. In fact, 45 percent of large organizations require suppliers to have an information security policy in place and 41 percent require a security breach response plan.

Small business owners must understand that if they continue to lag behind their larger counterparts, they’ll increasingly expose themselves to not only theft, fraud, and severe financial and reputational repercussions that may result in bankruptcy, but they also risk disqualifying themselves from working with large organizations that vet their suppliers.

For more results from the Shred-it 2015 Security Tracker visit our Resource Centre.

1. Online Predators and Digital Security

As organizations refresh computer hardware and digital storage, they are faced with the issue of what to do with their obsolete IT assets. Proper disposal and destruction of hard drive storage devices is important not only to keep confidential information safe, but also to keep organizations compliant with laws and legislations regarding the storage and disposal of Personal Health Information and Personal Identifying Information.

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets out legislation for how the private sector collects, uses or discloses personal information in the course of commercial activities. According to PIPEDA, personal information must be disposed of in a way that prevents a privacy breach.

PIPEDA also states that before disposing of electronic devices — such as computers, photocopiers and cellphones — organizations must ensure that all personal information is physically destroyed from the device’s hard drive.1

The most effective way to verify that confidential data found on these devices is completely gone and not susceptible to a privacy breach is to securely destroy the hard drive before disposing of it.

However, the 2015 Shred-it Security Tracker revealed that 40 percent of Canadian businesses surveyed have never disposed of hard drives, USBs or other hardware that contains confidential information.2 That translates into a lot of organizations that are not only risking the personal and confidential information of their customers and employees, but also risking compliance with PIPEDA.

A data breach has many consequences — financial loss, reputational damage and also legal repercussions. It is critical that organizations protect confidential information by removing and destroying unused hard drives.

2. Data Breach Roundup

In each edition we feature a high profile information security issue to show businesses how they can mitigate similar risks.

This quarter we’re featuring the Communications Security Establishment of Canada.

Communications Security Establishment (CSE): In response to an internal privacy violation, Canada’s electronic spy agency has introduced mandatory privacy awareness training for all employees. According to Greta Bossenmaier, chief of the Communications Security Establishment, corporate security officials were notified in July 2014 that a file containing personal information related to security clearances was mistakenly given public-access permission markings. An internal probe determined that the sensitive personal information of five individuals — four CSE employees and one member of the public — had been compromised.3 As a result, in March 2015 Bossenmaier ushered in a new policy on administrative privacy breaches and introduced mandatory privacy awareness training for all staff.

What to do: When employees are unaware of the proper procedures for the management and destruction of confidential information, the organization faces a greater risk of fraud. Unfortunately, Canadian organizations all too often overlook this vulnerability within their own workplace. According to the Shred-it 2015 Information Security Tracker, 36 percent of small businesses have never trained their staff on information security protocols, and 29 percent of larger organizations only do so once a year.

It is crucial that all employees not only know and understand their organization’s security policies and procedures, but truly commit to them and implement them correctly. There are concrete actions business leaders can take to ensure their information destruction policies and procedures are adhered to by all employees:

Frequent employee training: All companies should schedule on-going training to ensure employees are consistently familiar with the most updated document management policies and procedures.

Chief Information Security Officer (CISO): Appointing a Chief Information Security Officer (CISO), an individual responsible for overseeing the organization’s commitment to information security, helps reduce the risk of a security breach. It also helps to create a culture of security within the organization.

Practice group leaders: Every department within an organization has information that should be securely stored and destroyed once no longer needed. Having someone in each area of the business responsible for information security helps ensure all employees understand and follow policies.

Retention and destruction schedule: Eliminate any questions around document retention and destruction by clearly labelling all documents and document files by what they contain, how long they must be kept, and when they should be destroyed.

Revisit and assess existing policies: The best way to improve security in an organization is to conduct frequent audits to ensure that policies and procedures are able to combat threats as they emerge.

3. Customer Connections

Shred-it’s most important relationship is with its customers, which is why Shred-it Partners are trained to provide top level customer service and expertise. In each edition we highlight a Shred-it Partner that went above and beyond to provide exceptional customer service.

Arnold Rubio, CISP
CSR, Toronto

A partner with Shred-it for almost 10 years, Arnold Rubio is dedicated to not only helping his customers destroy their confidential information, but also assisting them with implementing information security policies and procedures. This commitment was clearly demonstrated during a routine visit to a local bank branch.

While emptying consoles during his service, Arnold discovered that cash had accidentally been placed into one of the locked bins. Realizing that an error may have been made, Arnold immediately alerted the Branch Manager and ensured the money was safely returned. Arnold also took the time to help the Branch Manager identify how the problem occurred and found a solution to mitigate the risk of cash accidentally falling into the consoles again. The Branch Manager was impressed with Arnold’s professionalism and confidentiality when he discovered the money, and also in working together with the team to implement a new procedure moving forward.
